
Preparing for and Managing a Regulatory Examination

Regulatory examinations are a normal part of our business. They never come at an opportune time, are rarely easy, and are absolutely manageable, especially if you have a strong compliance program. There are a few types of examinations:

  • “Scope Exams” – These are typical exams, where the examiner has a set list of items that they are looking for, such as Net Capital/Accounting Exams, Sales Practice Exams, or General Risk Exams.
  • “Targeted Exams” – These are generally based on targeted letters or priority letters. Recently we have seen targeted exams in cybersecurity, social media and communications, and trading practices.
  • “Cause Exams” – These tend to be the most difficult, as they are generally prompted by prior enforcement actions, customer complaints, self-reporting, or whistleblower items.

An important item to assess when you receive the initial exam contact and letter is which type of exam you will be having. If it is a Cause Exam, speak to your General Counsel or compliance consultants and review your recent complaint history, regulatory history, and self-reporting to see if you have any items which may have triggered the exam. If it is a Scope or Targeted Exam, there are many resources available to find the most recent target letters. This will give you a good “road map” on how to proceed. Regardless of the type of exam, here are a few best practices for preparing and managing the exam from receipt of the letter to your final response:

Preparing for the Exam – Best Practices

  • Review the letter and the requests – It is important to do a full review, since there may be different due dates for different items.
  • Reach out to the examiner (who will be listed on the letter) a few days after receiving the letter to let them know that you received it. This also gives you the opportunity to ask any questions you may have, voice any concerns over voluminous requests, or ask for an extension of time in responding or providing information.
  • If you need more time to provide requested information, ask for it. Give them the reason for your extension request. In my experience, reasonable extension requests are generally approved. Try not to ask for too long (5 business days is the normal amount of time for initial requests) and be sure to let the examiner know that you will be requesting this in writing via email, so that they can reply with their approval. This is an important step for your exam books and records, so retain this email with your exam file.
  • Review your Compliance Manuals, Books and Records, and any other items which were requested. If you feel that there may be an issue with any of these items, speak with your General Counsel or Compliance Consultant.

Responding to the Initial Request List

As with most things in the Compliance universe, preparation and organization are the key elements. When responding to request lists by regulators, you should number every item that is requested and put the corresponding number on your response.

  • Build a rapport with the examiners. If any request is too large for your staff to handle by the due date, or if you need more time, reach out to the examiner. An important part of managing a regulatory examination is open communication with the examiner. This shows confidence in your abilities to run a compliance program.
  • There may be items for which you are unable to provide information, or that are not applicable. In these cases, it’s a good best practice to write a separate memo for each item, with the item number and detail of the item in the header. The memo should consist of the reasons why the item is either not applicable or not available.
  • In the event that you find an issue or discrepancy during the course of gathering documentation, the issue should be resolved immediately and brought to the attention of the examiners when they are on site. This is an example of a robust compliance program and one that follows its policies and procedures when a discrepancy is found.
  • Whether you keep the responses electronically or in a paper file, you should make 2 copies of each item – 1 for the regulator and 1 for your files. It is also a good best practice to keep a separate electronic file of the information for ease of access. (Plus it takes a lot less room in a file cabinet or box.)
  • Send the requested items electronically on the regulator’s encrypted site, if you are provided with one. If you are not provided with one, you should call the examiner and ask their preferred method of delivery. All documents should be encrypted and secured, based on the regulator’s guidance.
  • Prior to providing any information in response to a regulatory request, consider whether your firm would like to request confidential treatment of any or all documents you provide in response to the examination. If so, be sure to request confidential treatment in accordance with the Freedom of Information Act (“FOIA”) guidelines prior to submitting documentation and responding to the regulator.

The On-Site Exam

  • When the examiners get there, have an appropriate, private if possible, space ready for them. Expect them to be in house for at least a week, possibly more.
  • Prepare to have your CCO and other key managers or employees available.
  • Be professional, cordial and friendly, but not over-friendly. Remember that this is a regulatory examination.
  • Decide beforehand who is the key point of contact for the examination. Let the examiners know during the course of conversation who that key point of contact is. If they have requests, they should go through the contact, who will then relay this request to the CCO.
  • If the examiners wish to speak to any employees, the CCO should be the one to arrange this, and should be in any meeting with the examiners.
  • Do not be afraid to let them know if any requests are voluminous, or extremely large in scope. In general, examiners understand that they are not there to disrupt your business and will have some measure of flexibility in their requests and interviews.
  • Make sure to ask questions. A regulatory examination should be a conversation, not a request and response session. If you have questions about what they are looking for, why they are looking for it, or anything else, ask them.
  • If the examiners request any information verbally, please ask them to put the request in writing so that you have it for your books and records. This is an important item to remember, so that there is no question as to the request or the corresponding Firm response.
  • If the examiners find a deficiency during the scope of the exam, ask them if you can resolve this during the on-site part of the exam. Many times they will be agreeable, and this could take an item from an exception to a recommendation, and potentially from enforcement to cautionary action.

At the end of the examination, they will have an exit conference and provide you with a preliminary list of exceptions and recommendations. Use this list as a roadmap to your response. If you feel that there are any items on the list that are incorrect, let them know why you feel this way. The exit conference is a chance for the regulators to provide you with guidance on potential issues and the opportunity to discuss them. Also, it is often your best chance to persuade the regulators to your point of view before their opinions begin to be solidified.

Exam Letter and Response

  • Within 30 days of your exit conference, you should receive an exam letter, which will detail any exceptions and recommendations. The letter will also contain a response date.
  • Like any other regulatory response, your letter should contain either an acceptance and understanding of the exception/recommendation, a reason for the items, and a corrective action.
  • You should respond to each item listed in order, with an exhibit number for attachments.
  • Attachments could include updated policies and procedures, memos, or any other items which may be responsive to the exception or recommendation.
  • It is a good best practice to provide your General Counsel or compliance consultant with a copy of the letter once you receive it, as well as a draft of your response (and exhibits) at least 10 days prior to the due date so they have a chance to review all documents and provide guidance.
  • Remember, if you do not believe that the exception or recommendation is correct, it is absolutely your right to put this information in your response letter and back it up with documented evidence whenever possible.
  • As stated earlier, keep an open line of communication with the examination team and if you need to request a time extension for the response, call them prior to the due date and make sure that it is in writing.
  • Keep a copy of the exit conference memo, exam letter, and your response in your exam file (whether physical or electronic), so that you can go back to it in case of any questions.
  • Be sure to review your existing compliance program, policies and procedures once the exam is over to ensure modifications have been made, where necessary, to avoid recidivist findings during the next regulatory exam. Regulators have little forgiveness for firms who have been made aware of a regulatory violation and fail to take corrective action to prevent recurrence.

Regulatory Examinations can be daunting. With the proper preparation and guidance, they can be managed. We are here to help you manage the process from beginning
